From 997bc8c1c6c5f3678f31fa391e3ac8dbf08a1abd Mon Sep 17 00:00:00 2001
From: Ryan Chen
Date: Mon, 18 May 2026 09:07:26 -0400
Subject: [PATCH] Allow token-only admin access for events with no owner
Skip the user ownership check when event.user_id is NULL so existing events created before auth still work with their admin links.
Co-Authored-By: Claude Opus 4.6
---
 handlers.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/handlers.go b/handlers.go
index d74f1ca..bb1b47d 100644
--- a/handlers.go
+++ b/handlers.go
@@ -468,9 +468,9 @@ func (s *Server) authorizeAdmin(w http.ResponseWriter, r *http.Request, isPage b
 return nil
 }
- if s.features.Auth {
+ if s.features.Auth && event.UserID.Valid {
 user := s.currentUser(r)
- if user == nil || !event.UserID.Valid || user.ID != event.UserID.Int64 {
+ if user == nil || user.ID != event.UserID.Int64 {
 if isPage {
 http.Redirect(w, r, "/e/"+slug, http.StatusSeeOther)
 } else {
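Review bot: With `s.features.Auth && event.UserID.Valid`, any event whose `user_id` is NULL is now administrable by whoever holds the admin link, even on a deployment with auth enabled, and the condition does not distinguish legacy rows from new ones. The creation path is outside this hunk, so it is worth confirming that no event can be created with a NULL `user_id` once auth is on; otherwise new events silently skip the ownership check. Consider binding ownership when a signed-in user presents a valid token for an ownerless event, so the token-only window closes over time, and logging each token-only admin access so use of these bearer links is auditable. At minimum add a comment above the condition, e.g. `// Ownerless (pre-auth) events fall back to admin-token-only access; events created with auth enabled must always set user_id.` The body of authorizeAdmin starts and ends outside the hunk, so the token check itself is not visible here.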